Oracle and BEA Products Multiple Vulnerabilities
RISK: Medium Risk
Multiple vulnerabilities have been identified in various Oracle and BEA products, which could be exploited by remote or local attackers to cause a denial of service, read and manipulate certain data, disclose sensitive information, conduct SQL injection attacks, bypass security restrictions, or execute arbitrary commands.
These issues are caused by errors in the Resource Manager, Core RDBMS, Workspace Manager, Advanced Queuing, Database Vault, SQLX Functions, Cluster Ready Services, Listener, Application Express, Password Policy, OPMN, BI Publisher, Outside In Technology, Portal, Oracle Application Object Library, Oracle Applications Framework, Oracle Applications Technology Stack, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise HRMS - eBenefits, JRockit, WebLogic Server, WebLogic Portal, and Oracle Data Service Integrator (AquaLogic Data Services Platform).
Impact
- Denial of Service
- Remote Code Execution
- Information Disclosure
System / Technologies affected
- Oracle Database 11g, version 11.1.0.6, 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
- Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
- Oracle Outside In SDK HTML Export 8.2.2, 8.3.0
- Oracle XML Publisher 5.6.2, 10.1.3.2, 10.1.3.2.1
- Oracle BI Publisher 10.1.3.3.0 10.1.3.3.1, 10.1.3.3.2, 10.1.3.3.3, 10.1.3.4
- Oracle E-Business Suite Release 12, version 12.0.6
- Oracle E-Business Suite Release 11i, version 11.5.10.2
- PeopleSoft Enterprise PeopleTools versions: 8.49
- PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
- Oracle WebLogic Server 10.3
- Oracle WebLogic Server 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3
- Oracle WebLogic Server 8.1 through 8.1 SP6
- Oracle WebLogic Server 7.0 through 7.0 SP7
- Oracle WebLogic Portal 8.1 through 8.1 SP6
- Oracle Data Service Integrator 10.3.0 and Oracle AquaLogic Data Services Platform (formerly BEA ALDSP) 3.2, 3.0.1, 3.0
- Oracle JRockit (formerly BEA JRockit) R27.6.2 and earlier (JDK/JRE 6, 5, 1.4.2)
Solutions
Before installation of the software, please visit the software manufacturer web-site for more details.
Apply Critical Patch Update Advisory - April 2009 :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Vulnerability Identifier
- CVE-2009-0972
- CVE-2009-0973
- CVE-2009-0974
- CVE-2009-0975
- CVE-2009-0976
- CVE-2009-0977
- CVE-2009-0978
- CVE-2009-0979
- CVE-2009-0980
- CVE-2009-0981
- CVE-2009-0982
- CVE-2009-0983
- CVE-2009-0984
- CVE-2009-0985
- CVE-2009-0986
- CVE-2009-0988
- CVE-2009-0989
- CVE-2009-0990
- CVE-2009-0991
- CVE-2009-0992
- CVE-2009-0993
- CVE-2009-0994
- CVE-2009-0995
- CVE-2009-0996
- CVE-2009-0997
- CVE-2009-0998
- CVE-2009-0999
- CVE-2009-1000
- CVE-2009-1001
- CVE-2009-1002
- CVE-2009-1003
- CVE-2009-1004
- CVE-2009-1005
- CVE-2009-1006
- CVE-2009-1008
- CVE-2009-1009
- CVE-2009-1010
- CVE-2009-1011
- CVE-2009-1012
- CVE-2009-1013
- CVE-2009-1014
- CVE-2009-1016
- CVE-2009-1017
Source
Related Link
Share with